Target credit card breach breeds worry

TAMPA

Robert Spoden shops at Target a few times a month, usually spending $50 to $75 on food, clothes and sporting goods. But when Visa called last week to alert him about purchases totalling more than $2,700, he knew something was amiss.

"Initially, I was shocked that someone tried to do this with our credit card,'' he said. "But I wasn't surprised. It's a sign of the times and what's going on in our country.''

Spoden was aware of Target's data breach during the holiday shopping season. The retailer said cyber criminals stole data from 40 million credit and debit cards used between Nov. 27 and Dec. 15. The hackers also snatched personal information — including email addresses, phone numbers, names and home addresses — of another 70 million people.

On Monday, Chase Visa's fraud control department notified Spoden that his card had been used four times at a Target store in Tampa. Two of the transactions were for identical amounts: $640.93. The others were for $1,067.86 and $424. As a result, Visa was canceling his card and reissuing a new one.

As a courtesy to Target, he said, Spoden called the store along Gandy Boulevard, where he shops the most. Even though he knew he wasn't liable for the charges, he figured the store would want his information to help with the investigation.

They didn't. An employee instructed him to call Target's customer service line, sign up for a year of free credit monitoring and, most baffling to him, file a police report.

"Why should I be the one to call the police when they're incurring the loss?'' Spoden said. "What are the local police doing to do?''

•••

Going after credit card fraud is a daunting task. Credit and debit card fraud losses worldwide reached more than $11 billion in 2012, up 15 percent over the previous year, according to the Nilson Report, a publication about the payment industry. Devoting resources to every case is impossible.

"We do investigations and are able to make arrests, but they are complicated cases and people should do what they can to protect themselves,'' said Tampa police spokesman Andrea Davis.

The Tampa Police Department has about three dozen detectives assigned to property-related crimes, a broad category that covers almost everything except murders and crimes involving sex, gangs and major drugs. Several other detectives work in the fraud unit but mostly investigate tax fraud and crimes against businesses.

In January, Tampa police received more than 100 reports of fraudulent credit card use — a small fraction of what actually occurs, Davis said.

Target has said it is working with law enforcement officials. On Wednesday, Attorney General Eric Holder said the Justice Department is committed to tracking down the thieves.

Spoden, 65, wonders what steps, if any, are being taken at the local level. Visa would not give him details, he said, but must know exactly where and when the illegal transactions took place. Did investigators look at surveillance video? Did they interview store employees?

Target isn't talking specifics about its investigation. A corporate spokeswoman said people suspecting suspicious activity should notify their credit card company.

The Minneapolis-based retailer hasn't said how many of its 110 million shoppers have been actual victims of the breach. So far among its REDcard Visa credit and debit card holders, Target has seen "low levels of incremental fraud" beyond what normally occurs, said spokeswoman Molly Snyder.

Similarly, Visa, one of the major credit card companies picking up most of the tab for the heist, has not released an estimated amount. Spokeswoman Rosetta Jones said the company doesn't break out fraud data by retailer but, on average, fraud amounts to about 6 cents on every $100 transacted — 0.06 percent.

•••

While the banks that issued the credit cards will absorb the cost of fraudulent sales initially, Target is not off the hook. Once the banks can tally their losses, they are expected to file lawsuits against Target and issue fines to recoup some of the money, said Jake Kouns, chief information security officer for Risk Based Security.

"Some of the lawsuits, penalties and fines could get ugly,'' he said. "We know that this is going to cost the banks and Target a lot of money.''

Already, dozens of lawsuits nationwide have been filed against Target by private individuals, including one from a Target shopper in Tampa alleging the retailer failed to protect her personal and private financial information.

Target has $100 million of cyber insurance and $65 million of directors and officers liability coverage, according to press reports. While seemingly a lot of money, Target could go through it quickly, Kouns said. Illegal cards made from the stolen information will likely continue coming into the market for the next few years. Many of the stolen card numbers don't expire until 2016.

Risk Based Security, a Richmond, Va.-based company that tracks data breaches, counted 2,164 breaches in 2013 that exposed more than 822 million records. That's the most since the company started recording breaches in 2005, when the number of incidents was 158.

And the future doesn't look much better. Since the Target breach, Neiman Marcus and Michaels have announced similar incidents.

"It's not slowing down,'' Kouns said. "What we're doing right now is not working. Attackers are moving faster and are better equipped than the defenders.''

•••

In the end, the cost of security breaches will be passed on to consumers in the form of increased prices and credit card fees, said Sajeev Varki, an associate marketing professor at the University of South Florida. Everyone will pay a few cents more as the cost of doing business on plastic.

But will Target's breach persuade shoppers to go elsewhere? Probably not, he said.

"If they think someone is targeting Target then consumers will be more likely to switch,'' Varki said. "But if they feel like it was a random attack, they will stay with the store and figure it will be someone else's turn.''

Spoden isn't blaming Target for his card getting hacked but has lost confidence in the retailer and fears similar breaches will just get more common.

He believes the most effective way to reduce checkout fraud would be to require shoppers to show identification when using a credit or debit card, a policy already in effect for some retailers. It could slow down the lines and offend some customers, but it might have stopped criminals from using his card.

In the meantime, he's no longer shopping at Target.

"We love Target but we're in a holding pattern," he said. "We're waiting for something to come back from Target that says, 'We've got this thing covered and you can have faith shopping in our stores.' ''

Susan Thurston can be reached at sthurston@tampabay.com or (813) 225-3110. Follow @susan_thurston on Twitter.